Companies have their work cut out ensuring consumer data isn’t falling into the wrong hands. Luke Frost from Digital Data Communications explains how.
Every business, whether large or small, needs to have a customer-facing website these days, and in the 12 months to May 2014, Australians spent $15.3 billion on online retail sales, reports Australian security services company Seccom Global.
While this level of online activity is great for commerce in Australia, it also brings with it a host of problems – potentially very damaging ones. Marketing companies and web developers know that a website needs security, but many do not understand the depth of online threats that exist, and the ever-evolving complexity of attacks.
Regardless of whether a website sells directly to the public, or simply exists as a tool to host marketing information and contact details, an attack can be disastrous to business credibility and continuity. Imagine a client happily selling from the web one minute, then having to contact an entire customer base and explain that their security has been compromised. Payment details may have fallen into the hands of criminals, a foreign entity may be blackmailing the company or simply there has been a malicious attack and sales can’t continue as the online inventory is down.
Such a large target as Australia’s online business will inevitably be tempting to all manner of cyber criminals, and the sophistication of today’s hackers makes websites increasingly vulnerable. Most websites have a basic level of protection, usually in the form of a firewall at the domain of their host. However, a firewall is often a poor defence against modern attacks, leaving websites open to theft and fraud, which is severely damaging to a company’s reputation and business.
Attacks can take many forms, and are constantly evolving in size, scope and complexity. DoS or Denial of Service attacks are designed to disable a network or a network resource by consuming available resources and thus disabling legitimate user access. There are two general forms of DoS attacks: those that crash services and those that flood services so that normal business operations cannot continue.
Ransomware is the terminology used for software that infects a victim’s network, and then demands a ransom in order for hackers to unlock it. Cryptoware and Cryptolocker are two common examples of this form of attack.
Another form of cybercrime is the ‘waterhole attack’, where the attacker will gather strategic information about a business, such as trusted websites often visited by employees, then insert an exploit into the selected site. Victims will visit the compromised site and unintentionally download malware such as Remote Access Trojans, allowing the attacker access to confidential information or to take control of vulnerable systems.
Phishing, identity theft, triangulation attacks, botnets, zero-day attacks – there are many more dangers lurking in the cyber world, and Australian businesses need to be vigilant in order to stop them. A plan, a top-line defence and a strategy for reporting potential hazards to the authorities are all essential in order to preserve a stable business and customer trust.
Michael Demery, one of Australia’s leading data security experts, said: “Imagine what an attack could do to your business. Aside from leaving customers open to potential credit card and identity theft, the very fact that your resources were attacked could be very damaging to the company’s reputation. Being the source of a damaging and debilitating attack could cause endless headaches, and take a long time to recover from.”
When focusing on protecting a website it is important to recognise that all sites are different. A business website can be as simple as a single static HTML page with no dependencies, through to complex sites utilising multiple operating systems and software applications working in synergy with each other.
A firewall working alone is simply not enough protection these days. Businesses in Australia need a security plan, some basic form of risk assessment, a strong, dedicated online security provider and a means of telling the proper authorities when an attempted attack takes place.
A Managed Security Services Provider (MSSP) can offer far greater protection to a business, as well as providing invaluable reports on where attacks are coming from. With the dangers becoming ever more sophisticated, risking business continuity by leaving things to chance simply isn’t a wise option any more.
Guard against attack…by planning ahead. Make sure you are on top of the following:
- Educate yourself and users of the potential risks
- Understand your responsibilities
- Monitor and manage any potential incursions
- Implement strong password and encryption technologies
- Invest in Tier 1 security tools and systems to protect your site
- Work with security focused service providers
- Report any incursions promptly to the correct authorities